Re: State diagram for DNSsec key lifecycle
On 10 Feb 2012, at 00:57, Mark Andrews wrote:

> I recommend "activate" + "publish" at the same time.

Mark,

I'd appreciate knowing your reasoning for preferring this approach over
publication for later activation.

I suspect I might not be alone. 8-)

Best regards,
Niall O'Reilly

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: State diagram for DNSsec key lifecycle
In message <92dd72be-8330-490d-8bf9-7b023fdab...@ucd.ie>, Niall O'Reilly writes:

> On 10 Feb 2012, at 00:57, Mark Andrews wrote:
>
> > I recommend "activate" + "publish" at the same time.
>
> Mark,
>
> I'd appreciate knowing your reasoning for preferring this
> approach over publication for later activation.
>
> I suspect I might not be alone. 8-)

You are going from unsigned to signed. There is no benefit in publishing,
waiting then activating.

> Best regards,
> Niall O'Reilly

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: DNSSEC and CVE-2012-1033 (Ghost domain names)
On Thu, Feb 09, 2012 at 12:38:42PM -0800,
 Casey Deccio wrote
 a message of 67 lines which said:

> Actually, it should, in the spirit of DNSSEC.

OK, so there is nothing that can be done at the registry level. Only the
resolver admin can use DNSSEC to solve the ghost domain problem, by
enabling DNSSEC validation. Correct?
RE: State diagram for DNSsec key lifecycle
>>> I recommend "activate" + "publish" at the same time.

>> I'd appreciate knowing your reasoning for preferring this

> You are going from unsigned to signed. There is no benefit in publishing,
> waiting then activating.

The IETF draft "DNSSEC Key Timing Considerations"
(http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-key-timing-02) goes into
great detail about all of this. This draft document expired on 9/11/2011. Is
there a successor document and/or other references that you would recommend
on this topic? Thanks.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
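As an added illustration of the lifecycle the thread is discussing (my own code, not anything from the thread, from the key-timing draft or from BIND), the following Python models a key's states as a timestamp-driven state machine and computes the draft's publication interval Ipub = Dprp + TTLkey. The interval only exists so that resolvers still holding the previous DNSKEY RRset in cache pick up the new key; an unsigned zone has no DNSKEY RRset to be cached, so the interval collapses to zero and publish and activate coincide, which is one reading of Mark's "no benefit in publishing, waiting then activating". The class and function names, and the sample TTL and propagation values, are mine.

```python
"""Added example (not from the thread): a model of the DNSSEC key lifecycle
states and of the publish-to-activate interval as defined in the key-timing
draft Jeffry cites (draft-ietf-dnsop-dnssec-key-timing, later RFC 7583)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class KeyState(Enum):
    GENERATED = "generated"   # key material exists, DNSKEY not yet in the zone
    PUBLISHED = "published"   # DNSKEY in the zone, key not yet signing
    ACTIVE = "active"         # DNSKEY in the zone and signing RRsets
    RETIRED = "retired"       # no longer signing, DNSKEY still published
    REMOVED = "removed"       # DNSKEY withdrawn from the zone


@dataclass
class KeyTimes:
    """Absolute timestamps (seconds) for one key, in the same roles as the
    publish / activate / inactive / delete metadata BIND keeps per key."""
    publish: int
    activate: int
    inactive: Optional[int] = None
    delete: Optional[int] = None

    def __post_init__(self) -> None:
        # A key must not sign before its DNSKEY is visible, must not be retired
        # before it was active, and must not be deleted before it was retired.
        if self.activate < self.publish:
            raise ValueError("activate precedes publish")
        if self.inactive is not None and self.inactive < self.activate:
            raise ValueError("inactive precedes activate")
        if self.delete is not None and (self.inactive is None or self.delete < self.inactive):
            raise ValueError("delete precedes inactive")

    def state_at(self, t: int) -> KeyState:
        """Lifecycle state of the key at time t, derived from the timestamps."""
        if t < self.publish:
            return KeyState.GENERATED
        if t < self.activate:
            return KeyState.PUBLISHED
        if self.inactive is None or t < self.inactive:
            return KeyState.ACTIVE
        if self.delete is None or t < self.delete:
            return KeyState.RETIRED
        return KeyState.REMOVED


def publication_interval(ttl_dnskey: int, propagation_delay: int,
                         zone_already_signed: bool) -> int:
    """Ipub from the key-timing draft: how long after publishing a new DNSKEY
    every resolver that had the DNSKEY RRset cached can be assumed to hold the
    new key (Ipub = Dprp + TTLkey).  The interval exists only to let an old
    cached DNSKEY RRset age out.  An unsigned zone has no DNSKEY RRset, so no
    resolver can have one cached and the interval is zero."""
    if not zone_already_signed:
        return 0
    return propagation_delay + ttl_dnskey


def plan_key(publish_at: int, ttl_dnskey: int, propagation_delay: int,
             zone_already_signed: bool) -> KeyTimes:
    """Pre-publication plan: publish now, activate once Ipub has elapsed."""
    ipub = publication_interval(ttl_dnskey, propagation_delay, zone_already_signed)
    return KeyTimes(publish=publish_at, activate=publish_at + ipub)


if __name__ == "__main__":
    # Constructed values: DNSKEY TTL 3600 s, 600 s to reach all secondaries.
    first = plan_key(publish_at=0, ttl_dnskey=3600, propagation_delay=600,
                     zone_already_signed=False)
    roll = plan_key(publish_at=0, ttl_dnskey=3600, propagation_delay=600,
                    zone_already_signed=True)
    print("initial signing: activate at", first.activate)   # publish and activate together
    print("later rollover:  activate at", roll.activate)    # after Ipub = 600 + 3600
```

The `state_at` method is the state diagram in code: a key only ever moves forward through the five states, and the constructor rejects timestamp sets that would make it move backwards.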
Re: DNSSEC and CVE-2012-1033 (Ghost domain names)
On Fri, Feb 10, 2012 at 7:37 AM, Stephane Bortzmeyer wrote:

> On Thu, Feb 09, 2012 at 12:38:42PM -0800,
>  Casey Deccio wrote
>  a message of 67 lines which said:
>
> > Actually, it should, in the spirit of DNSSEC.
>
> OK, so there is nothing that can be done at the registry level.

No.

> Only the resolver admin can use DNSSEC to solve the ghost domain problem,
> by enabling DNSSEC validation. Correct?

Yes. Unless future specification or implementation designated that delegation
follow the same model as trust--that is, that a delegation only last as long as
the parent said it did. But I'm not sure that's the right approach, and this
seems to me to be somewhat of a niche problem.

Casey
Re: DNSSEC and CVE-2012-1033 (Ghost domain names)
On Fri, Feb 10, 2012 at 2:27 PM, Casey Deccio wrote:

> Unless future specification or implementation designated that delegation
> follow the same model as trust--that is, that a delegation only last as
> long as the parent said it did.

I hadn't previously read Paul's resimprove draft on this topic, but it was
newly posted on dns-operations, and it describes this very behavior.

http://tools.ietf.org/html/draft-vixie-dnsext-resimprove-00

Casey
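As an added illustration of the delegation lifetime Casey describes (my own toy model, not text from the resimprove draft and not any resolver's code), the following Python contrasts two caches: one in which an NS RRset learned from the child's own servers refreshes the cached delegation on every answer, so the delegation outlives its removal at the parent, and one in which a child-learned NS RRset may never extend the delegation past the lifetime the parent's referral gave it, so the resolver goes back to the parent when that lifetime ends and learns the name is gone. The zone name, TTLs, removal time and query times are constructed.

```python
"""Added example (not from the thread): a toy resolver cache contrasting a
delegation that a child's own NS answers can keep alive indefinitely with one
whose lifetime is bounded by the parent's referral, the model Casey attributes
to draft-vixie-dnsext-resimprove-00.  All names, TTLs and times are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ZONE = "example.test."
PARENT_REMOVES_AT = 90_000   # constructed: parent drops the delegation at this time
DELEGATION_TTL = 86_400      # TTL of the NS RRset in the parent's referral
CHILD_NS_TTL = 86_400        # TTL of the NS RRset the child's servers return


@dataclass
class CachedNS:
    expires: int              # when this cached NS RRset leaves the cache
    delegation_expires: int   # when the parent's referral said the delegation ends


class ResolverCache:
    def __init__(self, bound_to_parent: bool) -> None:
        self.bound_to_parent = bound_to_parent
        self.ns: Dict[str, CachedNS] = {}

    def has_delegation(self, zone: str, now: int) -> bool:
        entry = self.ns.get(zone)
        return entry is not None and now < entry.expires

    def learn_from_parent(self, zone: str, now: int, ttl: int) -> None:
        # A referral from the parent establishes the delegation's lifetime.
        self.ns[zone] = CachedNS(expires=now + ttl, delegation_expires=now + ttl)

    def learn_from_child(self, zone: str, now: int, ttl: int) -> None:
        """NS RRset seen in an answer from the child's own servers.
        Unbounded: the cache adopts the child's TTL, so the delegation is
        renewed every time the child answers and is never re-checked at the
        parent.  Bounded: the entry may not outlive the parent's referral."""
        entry = self.ns.get(zone)
        if entry is None or now >= entry.expires:
            return  # no live delegation; only a parent referral may create one
        new_expiry = now + ttl
        if self.bound_to_parent:
            new_expiry = min(new_expiry, entry.delegation_expires)
        entry.expires = new_expiry


def parent_referral(now: int) -> Optional[int]:
    """Constructed parent: returns the referral TTL while the delegation exists."""
    return DELEGATION_TTL if now < PARENT_REMOVES_AT else None


def resolve(cache: ResolverCache, now: int) -> bool:
    """One lookup under ZONE at time `now`; True if the delegation is usable."""
    if not cache.has_delegation(ZONE, now):
        ttl = parent_referral(now)
        if ttl is None:
            cache.ns.pop(ZONE, None)   # parent no longer delegates: name is gone
            return False
        cache.learn_from_parent(ZONE, now, ttl)
    # The child's servers answer and include their NS RRset.
    cache.learn_from_child(ZONE, now, CHILD_NS_TTL)
    return True


def simulate(bound_to_parent: bool,
             query_times: Tuple[int, ...] = (0, 80_000, 160_000, 240_000)) -> Dict[int, bool]:
    """Queries at the given times against one cache; maps time -> resolvable."""
    cache = ResolverCache(bound_to_parent)
    return {t: resolve(cache, t) for t in query_times}


if __name__ == "__main__":
    print("unbounded (ghost domain):", simulate(False))
    print("bounded to parent       :", simulate(True))
```

With the constructed timeline the unbounded cache keeps answering for the zone long after the parent stopped delegating it, while the bounded cache stops at the first query after the parent's lifetime ran out; a DNSSEC-validating resolver, which the earlier message identifies as the available fix, reaches the same outcome by a different route, because the parent's signed denial of the DS record is what it checks rather than the cached NS lifetime.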